Abstract. We present a new fast provably secure MAC called XMAC based on universal hashing. In the construction we use new families of universal hash functions which are especially well suited for tree-like hashing. Furthermore, we develop an effective tree-like hashing procedure. The proof of security is simple and easy to verify. The end result is a very effective MAC which is fast on both short and long messages, achieving a peak performance of 2.2 clock cycles per byte on a Pentium III processor for a 64-bit tag with a forgery probability of $2^{-52}$. The design makes it fast on most platforms.

Keywords: MAC, universal hash, tree, stream cipher, Rabbit

1 Introduction 

A Message Authentication Code (MAC) provides a way to detect whether a message has been tampered with during transmission. The usual model for authentication includes three participants: a transmitter, a receiver and an opponent. The transmitter communicates a message over an insecure channel in which the opponent has the ability to introduce new messages as well as to alter an existing message. Insertion of a new message by the opponent is called impersonation and modification of an existing message by the opponent is called substitution. In both cases the opponent's goal is to deceive the receiver into believing that the new message is authentic.

In many applications, it is of significant importance that the receiver can verify the integrity of a message. In some cases this is even more important than encryption [1]. Often encryption and authentication are both required. With the emergence of fast software-based encryption algorithms like Rijndael [2], SNOW [3], Rabbit [4] etc., the need for fast software-based message authentication codes is increasing. Some attempts have been made to construct an integrated MAC and encryption algorithm, e.g. Helix [5]. However, such approaches make it hard to prove the security of the MAC part. Moreover, there exist constructions that can be proven secure with respect to an underlying cryptographic primitive. Prominent examples are HMAC [6] and the universal hashing approach [7].

The construction presented here is based on the universal hashing approach. Universal hashing was introduced in 1979 by Carter and Wegman [7]. A universal hash function family is a set of functions fulfilling certain combinatoric properties. For example, a family is called $\varepsilon$-universal if the probability of a collision in a randomly chosen function evaluated at two different points is no more than $\varepsilon$.
In 1981, Wegman and Carter suggested using universal hash functions for message authentication [8]. In their approach, a given message is hashed with a randomly chosen universal hash function, whereafter the output is encrypted with a one-time pad in order to obtain the MAC tag. Since the universal hash functions are only required to fulfill, in a cryptographic sense, a rather simple combinatoric property, they can usually be constructed to be very fast. Recent research has been successful in achieving impressive speeds. Notable examples can be found in [9-13]. In particular, UMAC [12], which has been recommended in the NESSIE portfolio [14], has achieved speeds on a Pentium III processor of 1.8 clock cycles per byte^1 with forgery probability of $2^{-60}$ for a 64-bit tag. However, for very short messages the performance is slower, e.g. 12.6 clock cycles per byte for a message length of 43 bytes with the same forgery probability.

It is the aim of this paper to construct a Wegman-Carter based MAC which is fast on both short and long messages. The performance on short messages is important as the MAC function used in IPSec operates on 43-1500 bytes [15] and the MAC function used in TLS operates on 0-17 kilobytes. In addition, the setup procedure must be simple and fast, as the number of messages and amount of data processed per setup is small in many applications, e.g. TLS. Finally, the MAC is required to have verifiable-selectable assurance^2.

In order to achieve high performance we introduce new families of universal hash functions especially well suited for tree-like hashing. These are obtained by reducing $\Delta$-universal hash families to universal hash families. This results in significant performance gains for small compressions. Furthermore, we develop an effective tree-like hashing procedure which basically consists of combining a tree hash with a linear hash. The construction is provably secure (relative to a cryptographic primitive) with relatively simple proofs.

The paper is organized as follows. In Section 2 we present the definitions of the different classes of universal hash families and composition theorems. In Section 3 we introduce a simple method to reduce delta-universal hash families to universal hash families. A modification to the simple tree hashing scheme is presented in Section 4. Section 5 contains the specification of XMAC and the performance results are presented in Section 6. We conclude in Section 7.



2 Universal Hashing and Message Authentication

As mentioned above, Wegman and Carter [8] discovered that it is possible to use the notion of a randomly chosen strongly (see below) universal hash function to compress a given message and encrypt it using a one-time pad^3. We describe briefly in the following why this is possible.

^1 A 16-bit version of UMAC optimized for Pentium III SIMD technology has better performance. A similar modified version of XMAC using 16-bit multiplications could also gain a significant performance boost on the Pentium III processor.

^2 For a more detailed description of verifiable-selectable assurance, see [12]. In short, this means that the receiver can verify to lower assurance levels than for the full tag in order to increase performance.

^3 Of course, a cryptographic primitive like a stream cipher can also be used to generate a pseudo-random key, but then the security depends on the security of the primitive.

Let us first list well-known definitions of universal hashing.
Definition 1 An $\varepsilon$-almost-universal ($\varepsilon$-AU) family $H$ of hash functions maps from a set $A$ to a set $B$, such that for any distinct elements $x, x' \in A$:

$$\Pr_{h_k \in H}\big(h_k(x) = h_k(x')\big) \le \varepsilon \qquad (1)$$

$H$ is universal (U) if $\varepsilon = 1/|B|$.

Universal hash families were first defined by Carter and Wegman in 1979 [7]. $\varepsilon$-AU hash families were defined by Stinson in 1991 [16].

Definition 2 An $\varepsilon$-almost-$\Delta$-universal ($\varepsilon$-A$\Delta$U) family $H$ of hash functions maps from a set $A$ to a set $B$, such that for any distinct elements $x, x' \in A$ and for all $a \in B$:

$$\Pr_{h_k \in H}\big(h_k(x) - h_k(x') = a\big) \le \varepsilon \qquad (2)$$

$H$ is $\Delta$-universal ($\Delta$U) if $\varepsilon = 1/|B|$.

$\varepsilon$-A$\Delta$U is a generalisation of the $\varepsilon$-Almost-Xor-Universal ($\varepsilon$-AXU) family of hash functions defined by Krawczyk in 1994 [17] to arbitrary abelian groups and was given by Stinson in 1996 [18].

Definition 3 An $\varepsilon$-almost-strongly-universal ($\varepsilon$-ASU) family $H$ of hash functions maps from a set $A$ to a set $B$, such that for any distinct elements $x, x' \in A$ and all $a, b \in B$:

$$\Pr_{h_k \in H}\big(h_k(x) = a\big) = 1/|B| \qquad (3)$$

and

$$\Pr_{h_k \in H}\big(h_k(x) = a,\; h_k(x') = b\big) \le \varepsilon/|B| \qquad (4)$$

$H$ is strongly universal (SU) if $\varepsilon = 1/|B|$.

SU hash families were first defined by Wegman and Carter in 1981 [8]. The concept of $\varepsilon$-ASU hash families was introduced in [8], and was later formalized by Stinson in 1991 [16].

Moreover, hash families can be combined in order to obtain new hash families. The composition theorems below (see [19]) describe what happens to the resulting $\varepsilon$, domains and ranges.
Composition 1: If there exists an $\varepsilon_1$-AU family $H_1$ of hash functions from $A$ to $B$ and an $\varepsilon_2$-AU family $H_2$ of hash functions from $B$ to $C$, then there exists an $\varepsilon$-AU family $H$ of hash functions from $A$ to $C$, where $H = H_1 \times H_2$, $|H| = |H_1| \cdot |H_2|$, and $\varepsilon = \varepsilon_1 + \varepsilon_2 - \varepsilon_1\varepsilon_2 \le \varepsilon_1 + \varepsilon_2$.

Composition 2: If there exists an $\varepsilon_1$-AU family $H_1$ of hash functions from $A$ to $B$ and an $\varepsilon_2$-ASU family $H_2$ of hash functions from $B$ to $C$, then there exists an $\varepsilon$-ASU family $H$ of hash functions from $A$ to $C$, where $H = H_1 \times H_2$, $|H| = |H_1| \cdot |H_2|$, and $\varepsilon = \varepsilon_1 + \varepsilon_2 - \varepsilon_1\varepsilon_2 \le \varepsilon_1 + \varepsilon_2$.

From the definitions it follows that strongly universal hashing can be used for message authentication. If we denote the probability for an impersonation attack to succeed by $P_I$ and the probability for a substitution attack to succeed by $P_S$, we have the following theorem (see for instance [8, 19, 20]):

Theorem 1 There exists an $\varepsilon$-ASU family of hash functions from $A$ to $B$ if and only if there exists an authentication code with $|A|$ messages, $|B|$ authenticators and $k = |H|$ keys, such that $P_I = 1/|B|$ and $P_S = \varepsilon$.

A similar version for $\varepsilon$-AXU families has been proven by Krawczyk [17]. The particular Wegman-Carter MAC can be defined as:

Definition 4 Given an $\varepsilon$-ASU family $H$ of hash functions mapping from a set $A$ to a set $B$, a nonce $n$, and a random pad $f(n)$, the Wegman-Carter MAC is

$$\mathrm{MAC}_{WC}(M; k, f(n)) = h_k(M) \oplus f(n), \qquad (5)$$

where $k$ is the random hash function key and $M$ is the message.

A new nonce must be used for each application of the MAC to ensure the unconditional security of the construction.

In the next section we will describe a method to reduce delta-universal hash functions to universal hash functions. It turns out that these new universal hash families are particularly well-suited for tree structures.

3 Reducing Delta-Universal Hash Functions to Universal Hash Functions

As seen above there are different classes of universal hash functions, e.g. strongly universal, almost strongly universal, delta-universal, almost delta-universal and so on. The latter are contained in the former. Furthermore, it is possible to convert classes into other classes. For example, it is possible to convert a delta-universal hash family into a strongly-universal hash family [11].

For our construction we convert the $\Delta$-universal hash family MMH*, proposed by Halevi and Krawczyk [13], into a strongly universal hash family. This is accomplished by adding an additional key, in the following way:

$$\mathrm{MMH}^{SU}_k(M) = \Big(\sum_{i=1}^{n} m_i k_i\Big) + k_{n+1} \bmod p, \qquad (6)$$

where $p$ is a prime number, $M = m_1 \| \ldots \| m_n$ and $m_i, k_i \in \{0, \ldots, p-1\}$.

In some cases it is also beneficial to do the opposite, i.e. to reduce a stronger family into a weaker family. This is, of course, only relevant when a performance gain can be achieved. This is illustrated in the following.

Theorem 2 Let $H^\Delta$ be an $\varepsilon$-almost-delta-universal hash family from a set $A$ to a set $B$. Furthermore, consider an additional part of message $m_b \in B$. Then the family consisting of the functions $h_k(m, m_b) = h^\Delta_k(m) + m_b$ is $\varepsilon$-almost-universal for equal length messages.

Proof. From the definitions above we have for $m \ne m'$:

$$\Pr[h_k(m, m_b) - h_k(m', m'_b) = 0] = \Pr[h^\Delta_k(m) + m_b - h^\Delta_k(m') - m'_b = 0] \qquad (7)$$

or

$$\Pr[h^\Delta_k(m) - h^\Delta_k(m') = m'_b - m_b = \delta] \le \varepsilon, \qquad (8)$$

since $H^\Delta$ is an $\varepsilon$-almost-delta-universal family. The case when $m = m'$ but $m_b \ne m'_b$ is trivial. ∎

A very fast universal hash family is the NH family used in UMAC [12]. It was proposed in [21] based on a previous construction by Wegman and Carter:

$$\mathrm{NH}_K(M) = \sum_{i=1}^{l/2} (k_{2i-1} +_w m_{2i-1}) \cdot (k_{2i} +_w m_{2i}) \bmod 2^{2w}, \qquad (9)$$

where $+_w$ means 'addition modulo $2^w$', and $m_i, k_i \in \{0, \ldots, 2^w - 1\}$. It is a $2^{-w}$-almost-delta-universal hash family. In [12] only the universal property is explicitly proven.

Corollary 1 The following version of NH:

$$\mathrm{NH}_K(m) = (k_1 +_w m_1) \cdot (k_2 +_w m_2) \bmod 2^{2w}, \qquad (10)$$

is $2^{-w}$-almost-$\Delta$-universal for equal length messages.

Proof. This proof is just a slight modification of the one presented in [12]. We must show that

$$\Pr[(k_1 + m_1)(k_2 + m_2) - (k_1 + m'_1)(k_2 + m'_2) = \delta] \le 2^{-w}, \qquad (11)$$

where, as in [12], all arithmetic is carried out in $\mathbb{Z}/2^{2w}$. We assume that $m_2 \ne m'_2$. Define $c = k_2 + m_2$ and $c' = k_2 + m'_2$. By assumption it follows that $c \ne c'$. So we have

$$\Pr[(k_1 + m_1)c - (k_1 + m'_1)c' - \delta = 0] \le 2^{-w}, \qquad (12)$$

since from Lemma 1 in [21] the equality will only be satisfied by one $k_1$. ∎
According to Theorem 2, this family can be reduced to an $\varepsilon$-almost-universal hash family:

$$h(m_1, m_2, m_3, m_4, k_1, k_2) = (m_1 +_{32} k_1)(m_2 +_{32} k_2) +_{64} m_3 +_{64} 2^{32} m_4, \qquad (13)$$

where all arguments are 32-bit and the output is 64-bit. The collision bound is $\varepsilon = 2^{-32}$.

The question is whether this construction is useful and, if so, how it can be used most effectively. The construction is useful when the domain $|A|$ is not much larger than the range, but useless when $|A| \gg |B|$. Thus, if relatively short messages are hashed for each key, the extra block results in a significant performance gain. This is the subject of the next section.
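As an added check (this code is not part of the paper), the following Python enumerates every key at a small word size $w$ and verifies the bounds of Corollary 1 and Theorem 2 exhaustively for the $w$-bit analogue of the family in Eq. (13): NH on two words plus one extra $2w$-bit block. The function names are the example's own.

```python
from itertools import combinations, product


def nh2(k1, k2, m1, m2, w):
    """Eq. (10): (k1 +w m1) * (k2 +w m2) mod 2^(2w), the two-word NH with w-bit words."""
    mask_w = (1 << w) - 1
    return (((k1 + m1) & mask_w) * ((k2 + m2) & mask_w)) & ((1 << (2 * w)) - 1)


def reduced_u(k1, k2, m, w):
    """Theorem 2 applied to Eq. (10): h(m1, m2, m3) = NH(m1, m2) +2w m3, where the
    extra block m3 is 2w bits wide; this is the w-bit analogue of the family in Eq. (13)."""
    return (nh2(k1, k2, m[0], m[1], w) + m[2]) & ((1 << (2 * w)) - 1)


def delta_collision_fraction(m, m_prime, w):
    """Largest fraction of keys (k1, k2) on which NH(m) - NH(m') equals one fixed
    difference delta; Corollary 1 claims this is at most 2^-w for m != m'."""
    mask_2w = (1 << (2 * w)) - 1
    counts = {}
    for k1, k2 in product(range(1 << w), repeat=2):
        d = (nh2(k1, k2, m[0], m[1], w) - nh2(k1, k2, m_prime[0], m_prime[1], w)) & mask_2w
        counts[d] = counts.get(d, 0) + 1
    return max(counts.values()) / (1 << (2 * w))


def collision_fraction(m, m_prime, w):
    """Fraction of keys on which the reduced (universal) hash collides on m != m'.
    A collision needs NH(m) - NH(m') = m3' - m3, i.e. one specific delta (Eq. 8)."""
    keys = list(product(range(1 << w), repeat=2))
    hits = sum(1 for k1, k2 in keys
               if reduced_u(k1, k2, m, w) == reduced_u(k1, k2, m_prime, w))
    return hits / len(keys)


def verify_delta_bound(w):
    """Exhaustive check of Corollary 1 at word size w: the worst delta fraction
    over all pairs of distinct two-word messages (expected to be exactly 2^-w)."""
    msgs = list(product(range(1 << w), repeat=2))
    return max(delta_collision_fraction(m, mp, w) for m, mp in combinations(msgs, 2))


def verify_u_bound(w):
    """Exhaustive check of Theorem 2 for the reduced family: the worst collision
    fraction over all pairs of distinct three-word messages (also 2^-w)."""
    msgs = list(product(range(1 << w), range(1 << w), range(1 << (2 * w))))
    return max(collision_fraction(m, mp, w) for m, mp in combinations(msgs, 2))


if __name__ == "__main__":
    for w in (2, 3):
        print(f"w={w}: worst delta fraction {verify_delta_bound(w)} vs 2^-w = {2.0 ** -w}")
    print(f"w=2: worst collision fraction of the reduced family {verify_u_bound(2)}")
```

The pair $(0,0)$, $(0,1)$ with $\delta = 0$ already meets the bound (only $k_1 = 0$ collides), so the exhaustive maximum equals $2^{-w}$ rather than merely staying below it.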

4 The Modified Tree Construction

An immediate use of the above defined hash family is in a tree-like construction. As an example of a tree construction we assume that the message length can be written as $|M| = b \cdot 2^n$ where $b$ is some given block length. We also assume that a "two-to-one" universal hash family is given, i.e. a member of $H$ takes a bitstring of length $2b$ and hashes it to a string of length $b$. Then we can construct a new universal hash family taking strings of length $|M|$ and hashing them to strings of length $b$ by the well-known tree construction. The depth of the tree will be $n$. Clearly such a tree construction is the same as successively applying $n$ parallel hashes. We define the parallel hash family [22] as follows:

Definition 5 Given a message $M = m_1 \| \ldots \| m_{c^n}$ with length $|M| = b c^n$, we hash $c$ blocks at a time with a universal hash function $h_k \in H$ taking $bc$ bits to $b$ bits and concatenate the results. The result is a string of length $b c^{n-1}$. We denote the hash family by $H^{par}$ and a member by $h_k^{par}$:

$$h_k^{par}(M) = h_k(m_1, \ldots, m_c) \| \ldots \| h_k(m_{c^n - c + 1}, \ldots, m_{c^n}) \qquad (14)$$

It is easy to see that if $H$ has a collision bound of $\varepsilon$ then so does the parallel hash $H^{par}$. We define the usual tree construction as follows:

Definition 6 Let a message $M$ be given with length $|M| = b c^n$ for any integer $n$. We define a new hash family by applying $h^{par}_{k_i}$ $n$ times, each time with a new random $k_i$. We denote the family by $H^{tree}$ and a member by $h^{tree}_{k_1, \ldots, k_n}$. We say that the tree has $n$ levels.

Theorem 3 The above defined family, $H^{tree}$, is a $1 - (1 - \varepsilon)^n$-universal family of hash functions for equal length messages.
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Fig. 1. Figure (a) illustrates the traditional tree construction using the parallel hash 
and figure (b) illustrates the modified tree construction using the modified parallel 
hash. 



Proof. Let us define $\varepsilon_i$ as the collision bound for $H^{tree}$ with $i$ levels; then we have for $h^{tree}_{k_1, \ldots, k_n}$:

$$\Pr\big[h^{par}_{k_n}(h^{tree}_{k_1,\ldots,k_{n-1}}(m)) - h^{par}_{k_n}(h^{tree}_{k_1,\ldots,k_{n-1}}(m')) = 0\big] \le \varepsilon_{n-1} + (1 - \varepsilon_{n-1})\,\varepsilon = \varepsilon_n. \qquad (16)$$

Solving the recurrence with $\varepsilon_1 = \varepsilon$ we get:

$$\varepsilon_n = \varepsilon \sum_{i=0}^{n-1} (1 - \varepsilon)^i = 1 - (1 - \varepsilon)^n. \qquad (17)$$

∎



The hash family defined by Eq. (13) is very well suited for binary tree constructions. However, in such a tree the message length must be the block length times a power of two. An immediate generalization would be to do as suggested by Wegman and Carter [8]. They suggest breaking the message into substrings of length $2b$ and, if necessary, padding the last substring with zeroes. The resulting string is hashed with the parallel hash. If necessary, the resulting string is again padded with zeroes. This is repeated until the resulting string has length $b$.

This procedure is not always optimal, as illustrated in Fig. 1a. The reason is that for most message lengths, e.g. message lengths not equal to a power of two, extra applications of the universal hash function are needed. Of course, this is only significant for short messages. We propose the construction below.

First we define a modified parallel hash:

Definition 7 Given a universal hash family $H$ taking $bc$ bits to $b$ bits with members $h_k$, consider the message $M$, where $|M|$ is a multiple of the block size $b$, i.e. $M = m_1 \| \ldots \| m_q$ and $|M| = qb$. Define $r_c = q \bmod c$; then the modified parallel hash can be defined as:

$$h^{mpar}_k(M) = \begin{cases} h_k(m_1, \ldots, m_c) \| \ldots \| h_k(m_{q-c+1}, \ldots, m_q) & \text{if } r_c = 0 \\ h_k(m_1, \ldots, m_c) \| \ldots \| h_k(m_{q-r_c-c+1}, \ldots, m_{q-r_c}) \| m_{q-r_c+1} \| \ldots \| m_q & \text{if } r_c \ne 0 \end{cases} \qquad (18)$$
Property 1 The modified parallel hash is $\varepsilon$-almost universal on equal length messages.

Proof. In the first case, where $q$ is a multiple of $c$, we simply have a parallel hash and the bound on the collision probability is $\varepsilon$. In the case where $q$ is not a multiple of $c$, there are two possible situations. Either the difference in the messages $M$ and $M'$ is in the part which is processed by $h_k$, or in the part which is not processed but simply concatenated to the result. In the first situation the bound on the collision probability is $\varepsilon$. In the second situation the collision probability is trivially zero. Therefore, the bound for the collision probability of the modified parallel hash is $\varepsilon^{mpar} = \max(\varepsilon, 0) = \varepsilon$. ∎

It is straightforward to define a modified tree hash, i.e. define it as in Definition 6 but use the modified parallel hash instead of the usual parallel hash.

Corollary 2 Given a message with length $|M| = b(c^{n-1} + r)$ where $0 < r \le c^n - c^{n-1}$, $r \in \mathbb{Z}$, the modified hash defines a $1 - (1 - \varepsilon)^n$-almost universal family of hash functions on equal length messages.

Proof. This follows from Theorem 3 when the usual parallel hash is replaced by the modified parallel hash, since both are $\varepsilon$-almost universal and the number of levels is the same in both cases^4. ∎

As an example consider the case when $c = 2$. The message is divided into blocks of size $b$. If the message length is not a multiple of $b$, zeros are appended to the message such that the length becomes a multiple of $b$. If the length hereafter is a multiple of $2b$, the hash function is applied to each pair of blocks and the results are concatenated. If the length is an odd multiple of $b$, the hash function is applied to each pair of blocks except the last block. The results and the last block are concatenated. The procedure is repeated until the size of the result is $b$. The construction is illustrated in Fig. 1b.

Note that the construction can alternatively be defined in the following way (we use the binary case as an example): Let the message length be given by $|M| = b \sum_{i \ge 0} a_i 2^i$ where $a_i \in \{0, 1\}$. Each term $a_i 2^i$ in the sum corresponds to a tree with $i$ levels. We order these trees according to size with the largest tree first. More precisely, we use the tree hash for each group of data corresponding to a term in the sum, concatenate the results, and linearly hash them backwards, i.e. take the $b$-bit block output from the last tree and hash it with the result of the second to last tree and so on, until only one $b$-bit string is left. In other words, the construction consists of a series of concatenated tree hashes followed by a linear hash [22]. For the example in Fig. 1b the message length can be written as $|M| = b(2^3 + 2^1 + 2^0)$. There is one tree with 3 levels, one with 1 level and one with 0 levels. The hash results of those trees are then linearly hashed starting with the result from the smallest tree.

^4 In a Wegman-Carter binary tree hash, a message consisting of an odd number of blocks is padded such that the number of blocks is even. This is done after each application of the parallel hash. The number of levels is equal to the number of levels of a message of the nearest larger power of two. Now it is easy to convince oneself that the number of levels of the modified tree hash is exactly the same.

The above construction is only almost-universal for equal length messages. To ensure universality for different length messages we simply concatenate the length of the given message in a fixed $z$-bit format [12, 22]:

Definition 8 Fix $z > 0$ and let the message $M$ have any length less than $2^z$. Define $L_z = |M|$ to be the $z$-bit representation of the length and define $H^*$ as the family:

$$h^*_k(M) = h_k(M) \| L_z. \qquad (19)$$

We then have the following property:

Property 2 The hash function family $H^*$ is $1 - (1 - \varepsilon)^n$-almost universal.

Proof. In the case $|M| \ne |M'|$ the collision probability is trivially zero. In the case $|M| = |M'|$, the collision probability is given according to Corollary 2 by the number of levels necessary to compress the message. ∎

In order to use our universal hash function in a MAC, according to Theorem 1 we need to apply a strongly universal hash function to the output of $h^*_k$, i.e. $h^{SU}_{k'}(h^*_k(M))$. This strongly universal hash function maps an input of size $b + z$ bits to an output of a size appropriate for the collision probability.

Theorem 4 The hash function family consisting of the members $h^{SU}_{k'}(h^*_k(M))$ is $\varepsilon_{tree} + (1 - \varepsilon_{tree})\varepsilon_{SU}$-almost-strongly universal.

Proof. According to Composition 2. ∎

Finally, it is easily seen that the amount of key material, $N_{MAC}(M)$, needed for a given message $M$ is given by

$$N_{MAC}(M) = N_U \lceil \log_c(|M|/b) \rceil + N_{SU}, \qquad (20)$$

where $N_U$ is the amount of key material needed for the basic almost-universal hash function in the tree and $N_{SU}$ is the amount of key material needed for the strongly-universal hash function used in the end. Note that the amount of needed key material is the same as for the usual tree MAC.

In the next section we explicitly specify XMAC.

5 The XMAC Specification

A schematic pseudo-code of XMAC is presented in the box below. Below we shortly describe the different steps of the algorithm.

To generate the key material for use in the universal hash functions, any secure pseudo-random generator is applicable. In this algorithm we will use the stream cipher Rabbit [4], which is seeded with a 128-bit key. We define the
maximal length of a message to be $2^{64}$ bits, requiring maximally 58 levels in the tree and, hence, 58 64-bit keys. Furthermore, 6 keys belonging to the interval $\{0, \ldots, 2^{31} - 2\}$ need to be generated for the strongly universal hash function.

To process the message, it is divided into 64-bit blocks, and padded with zeroes if necessary. The message is then processed with the hash function defined in Eq. (13), $h(k, m_1, m_2)$, where $k, m_1, m_2 \in \{0, \ldots, 2^{64} - 1\}$, in a modified binary tree construction as defined in Definition 7 and the text below it, until the message is compressed to 64 bits. The length of the message measured in bits is represented as a 64-bit number and concatenated to the 64-bit result.

The resulting 128-bit block is appended with 22 zeroes, divided into five 30-bit blocks and hashed with the strongly universal version of the hash family MMH* defined in Eq. (6). The prime field is chosen to be $\{0, \ldots, 2^{31} - 2\}$ to ensure simple overflow handling and modulus calculation in 32-bit implementations.

The final tag is generated by XOR'ing the output of the hash function with a pseudorandom pad, according to Definition 4. To generate the pseudo-random pad we use the IV-setup function of Rabbit with a nonce as initialization vector. The size of the output from the hash function is in principle 31 bits. However, we encrypt the output with a pseudorandom pad of size 32 bits, to make the tag match the 32-bit register size.



Function $h(k, m_1, m_2)$
1. return $(m_1 +_{32} k) \cdot ((m_1 \gg 32) +_{32} (k \gg 32)) +_{64} m_2$

Function $\mathrm{XMAC}_K(M, nonce)$

1. Generate 64-bit keys: $\mathrm{Rabbit}_K = k_1 \| \ldots \| k_{58}$

2. Generate keys $\in \{0, \ldots, 2^{31} - 2\}$: $\mathrm{Rabbit}_K = k^S_1 \| \ldots \| k^S_6$

3. $L = |M|$

4. while $|M| \bmod 64 \ne 0$ do: $M = M \| 0$

5. for $t = 1$ to $\lceil \log_2(L/64) \rceil$ do (with $M = m_1 \| \ldots \| m_l$ at the start of the iteration):

   $M = h(k_t, m_1, m_2) \| \ldots \| h(k_t, m_{l-1}, m_l)$ if $l$ is even

   $M = h(k_t, m_1, m_2) \| \ldots \| h(k_t, m_{l-2}, m_{l-1}) \| m_l$ if $l$ is odd

6. Append to $M$ the 64-bit message length $L$: $Q = M \| L$

7. Divide $Q$ into 30-bit blocks and append 22 zeroes: $Q = x_1 \| \ldots \| x_5 \| 0 \ldots 0$

8. $S = \big(\sum_{i=1}^{5} x_i k^S_i + k^S_6\big) \bmod (2^{31} - 1)$

9. return $S \oplus \mathrm{Rabbit}_K(nonce)$
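As an added worked example (not the paper's code), the following Python implements the universal-hash part of the specification above: the compression function $h$ of step 1 (Eq. 13 on 64-bit blocks), the modified binary tree of Definition 7 (steps 4-5), the MMH-style strongly universal finalisation (steps 6-8) and the forgery bound of Section 5. Key material and the 32-bit pad are caller-supplied constructed constants standing in for Rabbit output, and the bit ordering inside $Q$ is the example's own choice.

```python
import math

MASK32 = (1 << 32) - 1
MASK64 = (1 << 64) - 1
P_SU = (1 << 31) - 1          # prime modulus of the strongly universal hash (spec step 8)


def h(k, m1, m2):
    """Spec step 1 / Eq. (13): compress two 64-bit blocks into one 64-bit block.

    The low and high 32-bit halves of m1 and k form the NH-style product
    (m1 +32 k) * ((m1 >> 32) +32 (k >> 32)); m2 is then added modulo 2^64.
    """
    lo = ((m1 & MASK32) + (k & MASK32)) & MASK32
    hi = ((m1 >> 32) + (k >> 32)) & MASK32
    return (lo * hi + m2) & MASK64


def to_blocks(msg):
    """Spec step 4: zero-pad to a multiple of 64 bits and split into 64-bit blocks
    (little-endian block encoding is an assumption of this example)."""
    padded = msg + b"\x00" * (-len(msg) % 8)
    return [int.from_bytes(padded[i:i + 8], "little") for i in range(0, len(padded), 8)]


def levels(nblocks):
    """Spec step 5: ceil(log2(number of blocks)) tree levels, 0 for a single block."""
    return (max(nblocks, 1) - 1).bit_length()


def modified_parallel_hash(k, blocks):
    """Definition 7 with c = 2: hash the blocks pairwise; an odd trailing block is
    passed through unhashed (the modified tree of Fig. 1b)."""
    out = [h(k, blocks[i], blocks[i + 1]) for i in range(0, len(blocks) - 1, 2)]
    if len(blocks) % 2:
        out.append(blocks[-1])
    return out


def tree_hash(keys, blocks):
    """Modified binary tree hash: one fresh 64-bit key per level.  An empty
    message is treated as one zero block (assumption; the spec leaves it open)."""
    blocks = blocks or [0]
    for t in range(levels(len(blocks))):
        blocks = modified_parallel_hash(keys[t], blocks)
    return blocks[0]


def su_hash(su_keys, tree_out, bit_len):
    """Spec steps 6-8: Q = tree output || 64-bit length, append 22 zero bits,
    split into five 30-bit words x_i and compute (sum x_i k_i + k_6) mod (2^31 - 1).
    Placing tree_out in the high bits of Q is this example's ordering choice."""
    q = ((tree_out << 64) | bit_len) << 22              # 150 bits = 5 x 30
    xs = [(q >> (30 * (4 - i))) & ((1 << 30) - 1) for i in range(5)]
    return (sum(x * k for x, k in zip(xs, su_keys)) + su_keys[5]) % P_SU


def xmac_tag(msg, keys, su_keys, pad32):
    """Spec step 9: 32-bit tag = SU hash XOR a one-time 32-bit pad.  The paper
    derives keys and pad from Rabbit; here they are caller-supplied."""
    s = su_hash(su_keys, tree_hash(keys, to_blocks(msg)), 8 * len(msg))
    return s ^ (pad32 & MASK32)


def forgery_bound(n_levels, eps_u=2.0 ** -32, eps_su=1.0 / P_SU):
    """Section 5: eps_SU + (1 - eps_SU) * (1 - (1 - eps_U)^n) for an n-level tree."""
    eps_tree = -math.expm1(n_levels * math.log1p(-eps_u))   # 1 - (1 - eps_u)^n, stably
    return eps_su + (1.0 - eps_su) * eps_tree


# Constructed sample key material (NOT Rabbit output): 58 tree keys and 6 SU keys.
SAMPLE_KEYS = [(0x9E3779B97F4A7C15 * (i + 1)) & MASK64 for i in range(58)]
SAMPLE_SU_KEYS = [(0x2545F491 * (i + 1)) % P_SU for i in range(6)]   # in {0, ..., 2^31 - 2}

if __name__ == "__main__":
    msg = b"constructed sample message for XMAC"
    print(hex(xmac_tag(msg, SAMPLE_KEYS, SAMPLE_SU_KEYS, 0xDEADBEEF)))
    print("58-level forgery bound: 2^%.2f" % math.log2(forgery_bound(58)))
```

Two messages that differ only in their second block collide with probability zero under `h` (the difference passes straight through the `+_{64} m_2` term), which is the Theorem 2 case the tree relies on.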



The forgery probability depends on the number of levels in the tree; the bound on the collision probability for each level in the tree is $\varepsilon_U = 2^{-32}$. For the strongly universal hash family we have $\varepsilon_{SU} = 1/(2^{31} - 1) \approx 2^{-31}$. The maximal number of levels in the tree for a $2^{64}$-bit message is 58. Using Composition 2 and Theorem 3 the forgery probability is: $\varepsilon \le \varepsilon_{SU} + (1 - \varepsilon_{SU})(1 - (1 - \varepsilon_U)^{58}) \approx 2^{-31} + (1 - 2^{-31})(1 - (1 - 2^{-32})^{58}) \approx 2^{-26.09}$.

A forgery probability of $2^{-26.09}$ is insufficient for most applications. However, a simple method to reduce the forgery probability is to hash the message $y$ times with independent keys and concatenate the results. This method results in a forgery probability of $2^{-26.09\,y}$. To obtain 128-bit security we need to hash the message 5 times, yielding a probability of $2^{-130}$ and a tag size of 160 bits. In particular, this leads to the verifiable-selectable assurance, as each 32-bit tag can be verified independently.

* 

6 Performance

We measured the performance of the algorithm specified above on a 1000 MHz Pentium III processor. The speed-optimized version was programmed in assembly language in-lined in C and compiled using the Intel C++ 7.0 compiler. All performance results in this section are based on generating a $2 \cdot 32$-bit tag.

In Table 1 the performance results are presented for two cases. The first case is where the pseudo-random pad is generated by the Rabbit stream cipher after being re-initialized by the IV-setup function, with the nonce as initialization vector. The second case is where the pseudo-random pad is generated by continuing the extraction of pseudo-random data from the Rabbit stream cipher. This eliminates the need to perform the rather expensive IV-setup, but is only useful when messages are guaranteed to be received in the same order as generated. This situation corresponds to interpreting the nonce as an iteration number of the stream cipher. However, in most applications the IV-setup is necessary, as for example in IPSec communication.

Since the key material in XMAC depends on the length of the message, optimized versions can be used in applications where the message length is upper bounded. For example, in typical IPSec applications the message length cannot exceed 1600 bytes, and when authenticating TLS [23] protected data, each message cannot exceed 17 kilobytes. Furthermore, the strongly universal hash function is simplified since parts of the input are zero, see Eq. (6). The properties of XMAC when the message length is limited are shown in Table 2.

The performance of XMAC and UMAC is illustrated in Fig. 2. Without the IV-setup XMAC is about a factor of 4 faster than UMAC for very short messages, and with the IV-setup the performance on short messages is about the same. On long messages the speed is still remarkable, and almost the same as UMAC. However, the forgery probabilities are a little better for UMAC. Note also that XMAC is still not fully optimized.

Table 1. Performance results with and without IV-setup. "Key setup" includes generating all keys for the $\varepsilon$-AU and SU hash functions, "Universal hash" includes processing the tree, and "Finalisation" includes the SU hash function and generating the pseudo-random pad.

Table 2. XMAC properties for various limited message lengths. "Memory req." denotes the amount of memory required to store the internal state including key material, temporary results and an instance of the Rabbit stream cipher. "Fin. no IV" denotes finalization without IV-setup and "Fin. IV" denotes finalization with IV-setup.

Fig. 2. The performance of UMAC and XMAC as a function of message length.



7 Conclusions

We presented a MAC called XMAC based on universal hashing. We introduced new families of universal hash functions especially well suited for tree-like hashing. These were obtained by reducing $\Delta$-universal hash families to universal hash families. Furthermore, we developed an effective tree-like hashing procedure which consists basically of combining a tree hash with a linear hash. The proof of security is simple and easily verifiable. XMAC is fast on both short and long messages, achieving a peak performance of 2.2 cycles per byte on a Pentium III processor with a forgery probability of $2^{-52}$ for a 64-bit tag. The necessary key material for the hash functions is only 976 bytes, making the setup very fast. The design makes it fast on most platforms, and especially well suited for small 32-bit processors, due to the small memory requirements.
8 Claims

1. A method for generating a cryptographically secure checksum (also called MAC or tag) of a digital message to be used for authenticating the message. The method comprises dividing the message into blocks of a certain size, which are combined using a compression method to obtain fewer blocks.

2. A method according to claim 1 where the process of compression is repeated a number of times so as to end up with 1 or more blocks being the checksum or to be used for calculating the checksum.

3. A method according to claims 1 and 2 where the compression method used to compress two input blocks ($m_1$ and $m_2$) into one output block ($h(k, m_1, m_2)$) given a cryptographic key ($k$) is

$$h(k, m_1, m_2) = (m_1 +_{32} k) \cdot ((m_1 \gg 32) +_{32} (k \gg 32)) +_{64} m_2 \qquad (21)$$